WithPCI.com

3.5 Primary account number (PAN) is secured wherever it is stored.

This requirement covers the primary account number (PAN) anywhere it is stored. Stored PAN must be rendered unreadable using one of the approved methods: a one-way hash based on strong cryptography (the hash must be computed over the entire PAN), truncation, index tokens, or strong cryptography with associated key-management processes and procedures. Two cautions matter in practice. First, a hashed and a truncated version of the same PAN must not be stored where they can be correlated, because the digits that truncation leaves in the clear shrink the space an attacker has to search to reverse the hash. Second, disk- or partition-level encryption on its own only satisfies this requirement for removable media; on non-removable storage the PAN must additionally be protected by one of the methods above.
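The correlation caution above is easy to underestimate, so here is an added example (not WithPCI's code and not PCI SSC material) that shows it concretely. The program stores a 16-digit PAN two ways, as a "first six, last four" truncation and as a hash, and then plays the attacker: with a plain SHA-256 next to the truncated value only six digits are unknown, so the hash is reversed by enumerating the Luhn-valid candidates; with an HMAC over the entire PAN under a managed secret key the same enumeration finds nothing, because without the key the attacker cannot compute the stored value for any candidate. The PAN and the key are constructed test values, and the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// luhnValid reports whether a digit string passes the Luhn check card numbers use.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// truncate keeps the first six and last four digits, the most of a 16-digit PAN
// that may be stored in the clear, and masks everything in between.
func truncate(pan string) string {
	return pan[:6] + strings.Repeat("X", len(pan)-10) + pan[len(pan)-4:]
}

// unkeyedHash is the weak construction: plain SHA-256 of the PAN, which anyone
// can evaluate for any candidate PAN.
func unkeyedHash(pan string) string {
	sum := sha256.Sum256([]byte(pan))
	return hex.EncodeToString(sum[:])
}

// keyedHash is HMAC-SHA256 over the entire PAN under a secret, managed key.
func keyedHash(key []byte, pan string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

// recoverPAN models an attacker holding a truncated PAN and a stored hash who can
// evaluate the hash function h. It enumerates the hidden middle digits, skips
// candidates that fail Luhn, and returns the match and how many were tried.
func recoverPAN(truncated, stored string, h func(string) string) (string, int) {
	hidden := len(truncated) - 10
	prefix, suffix := truncated[:6], truncated[len(truncated)-4:]
	space := 1
	for i := 0; i < hidden; i++ {
		space *= 10
	}
	tried := 0
	for n := 0; n < space; n++ {
		cand := prefix + fmt.Sprintf("%0*d", hidden, n) + suffix
		if !luhnValid(cand) {
			continue // no issuer would produce this number
		}
		tried++
		if h(cand) == stored {
			return cand, tried
		}
	}
	return "", tried
}

func main() {
	pan := "4111111111111111"                                    // constructed test PAN
	key := []byte("constructed demo key; a real one comes from the HSM") // assumption
	trunc := truncate(pan)

	got, tried := recoverPAN(trunc, unkeyedHash(pan), unkeyedHash)
	fmt.Printf("%s + SHA-256: recovered %q after %d Luhn-valid candidates\n", trunc, got, tried)

	// Same truncated value, but the stored hash is keyed. The attacker can only
	// evaluate functions they know, and none of them reproduce the HMAC.
	got, tried = recoverPAN(trunc, keyedHash(key, pan), unkeyedHash)
	fmt.Printf("%s + HMAC:    recovered %q after %d candidates\n", trunc, got, tried)
}
```

With six hidden digits the Luhn filter leaves 100,000 candidates, and the test PAN falls out after 11,112 of them; a keyed hash turns that search into a search for the key instead, which is why the hash and its key then fall under the key-management requirements on this page.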

Sub-requirements

3.5. Cryptographic keys used to protect stored account data are managed securely.

Cryptographic keys used to protect stored account data must be generated, distributed, stored, rotated and destroyed under documented procedures. Key-encrypting keys must be at least as strong as the data-encrypting keys they protect and stored separately from them; keys are retired or replaced at the end of their cryptoperiod, on suspected compromise, or when someone who knew a clear-text key component leaves.
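To show what those lifecycle rules look like in code, here is an added example (not WithPCI's or the PCI SSC's) of envelope encryption with key versioning in Go. Each stored PAN is encrypted under its own data-encrypting key (DEK), and the DEK is wrapped under a versioned key-encrypting key (KEK) that carries the end of its cryptoperiod. Rotating the KEK re-wraps only the small DEKs, leaves the PAN ciphertexts untouched, zeroises the old KEK and drops its version, so any record still pointing at a destroyed version fails loudly; a KEK past its cryptoperiod is refused for new encryptions. Assumptions: the KEK is held in process memory here, whereas a real KEK stays inside an HSM or key management system; AES-256-GCM is used for both layers; all type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// kek: one version of the key-encrypting key and the end of its cryptoperiod.
// Assumption: material is in process memory; a real KEK never leaves the HSM.
type kek struct{ version int; material []byte; notAfter time.Time }

// keyRing holds the KEK versions that can still unwrap a stored DEK.
type keyRing struct{ keys map[int]*kek; current int }

// record: what is stored per PAN, the AES-GCM ciphertext plus its DEK wrapped
// under the KEK version named alongside it.
type record struct{ kekVersion int; wrappedDEK, ciphertext []byte }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error, not a runtime condition
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// seal returns nonce || AES-GCM(key, nonce, plaintext); open reverses it.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := mustRandom(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...)
}

func open(key, data []byte) ([]byte, error) {
	aead := gcm(key)
	if ns := aead.NonceSize(); len(data) >= ns {
		return aead.Open(nil, data[:ns], data[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// encryptPAN uses a fresh DEK per record and refuses a KEK past its cryptoperiod.
func (r *keyRing) encryptPAN(pan string) (*record, error) {
	k := r.keys[r.current]
	if time.Now().After(k.notAfter) {
		return nil, fmt.Errorf("KEK v%d is past its cryptoperiod; rotate first", k.version)
	}
	dek := mustRandom(32)
	return &record{k.version, seal(k.material, dek), seal(dek, []byte(pan))}, nil
}

// decryptPAN unwraps the DEK with the KEK version recorded next to the data.
func (r *keyRing) decryptPAN(rec *record) (string, error) {
	k, ok := r.keys[rec.kekVersion]
	if !ok {
		return "", fmt.Errorf("KEK v%d was destroyed; record is unrecoverable", rec.kekVersion)
	}
	dek, err := open(k.material, rec.wrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, rec.ciphertext)
	return string(pt), err
}

// rotate issues the next KEK version, re-wraps every DEK under it (the PAN
// ciphertexts are untouched), then zeroises and drops the old KEK.
func (r *keyRing) rotate(records []*record, period time.Duration) error {
	old := r.keys[r.current]
	nk := &kek{old.version + 1, mustRandom(32), time.Now().Add(period)}
	for _, rec := range records {
		dek, err := open(old.material, rec.wrappedDEK)
		if err != nil {
			return err // stop before destroying anything that was not re-wrapped
		}
		rec.wrappedDEK, rec.kekVersion = seal(nk.material, dek), nk.version
	}
	r.keys[nk.version], r.current = nk, nk.version
	for i := range old.material {
		old.material[i] = 0
	}
	delete(r.keys, old.version)
	return nil
}

func main() {
	year := 365 * 24 * time.Hour
	ring := &keyRing{keys: map[int]*kek{1: {1, mustRandom(32), time.Now().Add(year)}}, current: 1}
	rec, _ := ring.encryptPAN("4111111111111111") // constructed test PAN
	fmt.Println("rotate:", ring.rotate([]*record{rec}, year))
	fmt.Println(ring.decryptPAN(rec)) // still decrypts, now through KEK v2
}
```

The version tag on each record is what makes rotation auditable: a QSA can ask which KEK version every record is under and confirm that none reference a version that has been destroyed.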

Sub-requirements: 4
Test points: 9
Implementation difficulty: High (5.0)

Control Types

Documentation: 1
Process: 3
Governance: 1
Technical: 1

Key Risks

Weak or compromised keys
Poor key management practices
Unauthorized access to keys

Frequently Asked Questions

What is required for key management?

Keys must be generated, distributed, stored, rotated and destroyed securely, under documented policies that cover the whole key lifecycle, with named key custodians who formally acknowledge their responsibilities.

Who should have access to cryptographic keys?

Only the fewest custodians necessary, each with a documented business need; manual handling of clear-text key components uses split knowledge and dual control, and every access is logged and reviewed.

How often should keys be rotated?

At the end of their defined cryptoperiod, whenever a key is known or suspected to be compromised, and when the integrity of a key has been weakened, for example because someone who knew a clear-text key component has left the organization.

What tools are recommended for key management?

Hardware Security Modules (HSMs) or other dedicated key management systems.

How should key management policies be maintained?

Policies should be reviewed and updated at least annually or after significant changes.

Common QSA Questions

Can you provide your key management policies and procedures?

Yes, we have documented and approved key management policies covering all aspects of the key lifecycle.

How do you control and monitor access to cryptographic keys?

Access is restricted, logged, and subject to dual control and separation of duties.

How do you ensure key rotation and destruction are performed?

We have automated reminders and logs for key rotation, and destruction is documented and verified.
